Cedric Rajendran VMware, Inc. Security Hardening vsphere 5.5
Agenda Security Hardening vsphere 5.5 ESXi Architectural Review ESXi Software Packaging The ESXi Firewall ESXi Local User Security Host Logs and Activity Monitoring Understanding the Hardening Guidelines 2
ESXi Architectural Overview Secure by Design
ESXi Architectural Overview Full-featured hypervisor Superior consolidation, scalability & reliability Designed from the ground up to run VMs Small, light-weight and secure OS-Independent, thin architecture Digitally signed software packages Streamlined deployment and configuration Small code base with minimal configuration Rapid provisioning with stateless support 4
ESXi Architectural Overview Simplified hypervisor patching and updating Small code base produces fewer patches Easy recovery with dual-image architecture VMware and 3rd party components updated independently Memory Hardening Kernel, User mode applications & executable components are located at random, non-predictable memory addresses Trusted Platform Module(TPM) Leverages Intel TPM to provide attestation of hypervisor image based on hardware root of trust. 5
ESXi Architectural Overview Digital signatures ensure integrity of kernel modules Rich API allows agentless management CLI Commands for Configuration and Support Agentless System Management Agentless Hardware Monitoring VM VM VM VMware Management Network VMkernel Common Information Model Local Support Consoles Infrastructure Agents-NTP,Syslog VM Support & Resource Management 6
ESXi Software Packaging Security Starts Before You Install
vsphere Installation Bundles (VIBs) ESXi distributed as collection of vsphere Installation Bundles(VIBs) ~60 VIBs in VMware distribution ~300MB (~150MB with out VMware Tools) Additional 3rd Party/Partner VIBs also available VMware and Partner VIBs digitally signed 8
ESXi Image Profile Image Profile assigns an Acceptance Level VMware Certified VMware Supported Partner Supported Community Supported Only VIBs signed at or above the assigned Acceptance Level can be added to the Image Acceptance Level can be changed using ESXCLI 9
Modifying/Customizing Image Profiles Image Builder CLI Included with PowerCLI Create Image Profiles Add/Remove 3rd Party drivers Export Images ISO Image-boots host into ESXi Installer Import to Update Manager ZIP Used with Auto Deploy Offline repository 10
The ESXi Firewall Controlling Access to the Host
The ESXi Firewall ESXi management network protected by local firewall Non-essential incoming/outgoing traffic blocked by default Control service start-up on boot Ability to restrict access to range of IP addresses 12
The ESXi Firewall Firewall configurable from GUI, CLI and Host Profile 13
ESXi Shell & Local User Security
ESXi - User Model Security Enhancements Named users provides for more auditability Local users with admin privileges equivalent to root Users operate using their own account, full admin privileges Limit use of the root account 15
ESXi - Shell Timeout ESXiShellTimeOut Advanced setting used to set timeout for Shell/SSH availability ESXiShellInteractiveTimeOut (*new in 5.1*) Advanced Setting used to automatically timeout inactive Shell Sessions 16
ESXi - Lockdown Mode What is Lockdown mode Restrict users from logging in directly to the hypervisor Only vcenter (vpxuser) allowed to manage the host in lockdown mode ESXi Shell access denied for all users Why lock down your infrastructure? Single point of management for your infrastructure - through vcenter 17
ESXi Authentication through Active Directory To protect Active Directory domain user credentials use the VMware Authentication Proxy Included with the vcenter Server install media Uses certificate vs. storing/passing domain credentials Configure in Host Profile to prevent storing AD user credentials 18
ESXi and Active Directory cont. By default users in the Active Directory ESX Admins group are granted administrator access To disable this behaviour disable esxadminsgroupautoadd To change the group name set esxadminsgroup 19
Host Logs and Activity Monitoring
ESXi Improved Logging All administrator actions logged (commands executed) All authentication events logged successful & unsuccessful Direct Console activity is logged using the username instead if dcui user 21
ESXi Logs: Admin Activity on Hypervisor Shell 2012-07-10T13:03:43Z ESXShell: ESXi shell login enabled 2012-07-10T13:03:43Z SSH: SSH login enabled 2012-07-10T13:03:55Z ESXShell: ESXi Shell available 2012-07-10T13:03:57Z shell[1000047077]: Interactive shell session started 2012-07-10T13:03:59Z shell[1000047077]: [root]: vmware -vl 2012-07-10T15:49:02Z shell[1000064535]: Interactive shell session started 2012-07-10T15:49:06Z shell[1000064535]: [testuser]: ls -la 2012-07-10T15:49:15Z shell[1000064535]: [testuser]: cat /etc/passwd 2012-07-10T15:49:22Z shell[1000064535]: [testuser]: vi etc/passwd 2012-07-10T15:49:28Z shell[1000064535]: [testuser]: cat /etc/group 2012-07-10T15:49:38Z shell[1000064535]: [testuser]: cat /var/log/shell.log Time Stamp Username Command Executed 22
Hardening Guidelines Classification & Customization based on the environment needs
Define the Threat Model-ESXi 24
Risk Assessment & Control Leveraging the Hardening Guide Environment Profiling - Classification of environment based on security needs Types of Guidelines & Recommendation Levels Implementation 25
Environment Profiling Profile Environment Guidelines Profile 3 Enterprise Should be implemented in all environments Profile 2 DMZ Should be implemented for more sensitive environments, e.g. those handling more sensitive data, those subject to stricter compliance rules, etc. Profile 1 SSLF-Specialized Security Limited Functionality Should be implemented in the highest security environments, e.g. top-secret government or military, extremely sensitive data, etc. 26
Control Type Control Type Operational Definition Recommendations on how to operate or interact with the administrative components of the system. Configuration Recommends a certain configuration of components, either to reduce risk or to provide a compensating control Parameter Specifies a configuration parameter to enable or disable in specific products 27
Implementation - An abstract from the hardening guide Control Type Component Title Vulnerability Discussion Profile Parameter ESXI Disable HGFS Prevents file transfer to Guest OS 1 Operational ESXI-Storage Zero out vmdk prior to deletion. Shreds sensitive data to prevent data reconstruction from physical disk 1,2 Configuration ESXI Configure the ESXi host firewall to restrict access to services running on the host Restrict Access 1,2,3 28
ESXi Security Summary ESXi is a Full Featured Hypervisor Small, light-weight and secure Designed for one purpose - to host VMs ESXi Image Comprised of VIBs Ensures integrity, prevents tampering, instils confidence Enhanced auditing capabilities All activity logged under named user accounts Locked down Firewall, ESXiShellTimout, ESXiShellInteractiveTimeOut, Lockdown Mode Customization based on environment needs Align with hardening guide 29
Questions? Write to me @ Cedric.rajendran@gmail.com www.virtualknightz.com 30